topic Re: Trusted System Passwords in Operating System - HP-UX

Trusted System Passwords

Barry Mayfield — Fri, 12 May 2006 12:22:18 GMT

We're using an HP 9000 box running HPUX 11.0. We recently trusted our system.

We've got password requirements of a minimum of 8 characters, at least one of those being a digit, and at least one of those being a special character. (Ex: xfgdye1!)

What we have happening is users are creating a password longer than eight characters... using a digit and a special character as ninth and tenth characters for example... and once the password is set they are then able to log in to our system using only the eight characters. They have basically circumvented the digit and special character requirement.

We've fiddled with all we know how and can't come up with a fix to prevent folks from getting around the use of a digit and special character... and users are spreading the news.

Ideas?

Re: Trusted System Passwords

Chan 007 — Fri, 12 May 2006 12:48:48 GMT

Hi,

This link is really worth

http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=212256

Chan

Re: Trusted System Passwords

Greg Vaidman — Fri, 12 May 2006 13:27:22 GMT

Barry,

This is not normal behavior. On my 11i trusted system, when I enter a password of >8 characters, all the characters are required to log in.

1. Check your /etc/default/security file. Maybe some weird option in there?

2. Make sure you have all trusted system patches. Go to http://www1.itrc.hp.com/service/patch/search.do?BC=main|&pageOsid=hpux and search for the exact phrase "trusted system"

Re: Trusted System Passwords

Darrel Louis — Fri, 12 May 2006 15:25:39 GMT

Barry,

Can you check what the Maximum password lenght is:
/usr/lbin/getprdef -m maxpwln
With modprdef you can chang the value.

/usr/lbin/getprdef -r [-m option],option] [-b] [-p] [-t]
OPTIONS
-r raw display of the protected database field values
-m display the value of the option given. If -m is not specified,
all protected database fields will be displayed.
-b display password defaults
-p display time defaults
-t display login defaults
Boolean values are returned as YES, NO, or DFT (default).
A value of -1 indicates that the field is undefined.
The following values will be displayed or can be selected
using the -m option:

maxpwln maximum password length allowed

Goodluck

Darrel

Re: Trusted System Passwords

Barry Mayfield — Fri, 12 May 2006 15:57:09 GMT

Greg:
We're actually in the middle of assessing our current patch status and prepping for any updates we need. We'll definitely be looking at this to make sure we're covered as far as the trusting goes.

Thanks.

Darrel:
We're currently set at 16 maximum.

We use software that makes use of a telnet connection to our host (HPUX box). I currently have assigned myself a 16 character password but am logging in pretty as you please using only the first eight. Heh, heh.

Thanks folks for the help and other things to look at.

Re: Trusted System Passwords

Darrel Louis — Fri, 12 May 2006 16:01:37 GMT

Barry,

What's the patch level of your server, I'll test test it on one of the hp-ux 11.00 server.
What's the Openssh version you're using?

Darrel

Re: Trusted System Passwords

Darrel Louis — Fri, 12 May 2006 16:27:44 GMT

Barry,

To check the consistency of your /etc/passwd and trusted system password database, use the command:
/usr/sbin/authck

Darrel

Re: Trusted System Passwords

Bill Hassell — Fri, 12 May 2006 20:34:57 GMT

When did you create your long passwords -- before or after trusted conversion? An untrusted system will (incorrectly IMHO) let you enter 10, 20 30 or more characters for a password and then will accept anything past the first 8 characters. In other words, the untrusted system silently truncates all passwords to 8. When you converted, only those 8 came across as 8 and if the users use just 8, they will work fine. Add a 9th character to a login password attempt and it should fail because every character is used in a Trusted system.

To prove this, create a new password now that the system is Trusted. Make it 9 or 10 or 16, whatever. Then try a login with just the first 8. If the first 8 work OK, I would be very concerned about patches. Note that 11.0 is going out of support this year.